Hi Tony,
I am looking at this issue now and I can't reproduce it in here. When
I set to "no" in the
installer, it adds the following lines to my ossec.conf:
<active-response>
<disabled>yes</disabled>
</active-response>
And when OSSEC starts it logs:
2009/03/25 10:45:02 ossec-execd(1350): INFO: Active response disabled. Exiting.
Can you check if that entry is in your config? Also, which version of
ossec were you using?
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On Fri, Feb 20, 2009 at 1:22 PM, Tony Lastowka <[email protected]> wrote:
>
> A few weeks back we had a problem with active response on a specific
> machine and decided we didn't need it running on that machine.
>
> I reinstalled the ossec agent on that machine, and specifically told it
> NOT to enable active response in the installer.
>
> Today it was noticed it was still running firewall/host.deny add/drops.
>
> I thought maybe it had somehow carried over settings from the old
> installation, so this time I completely removed ossec from the machine,
> deleted the source, deleted the agent from the server and reinstalled it
> entirely fresh with a new agent id. I answered no again to the active
> response question and confirmed it replied " - Active response disabled."
>
> We then ran another test, and it is STILL executing active response.
> For the time being, I've removed execute permissions from the
> active-response scripts on the machine so active response just fails,
> but the question remains, why is it running at all when the question
> about enabling active response is specifically answered no during the
> installation?
>
> ossec.log with the execute permissions removed
> ----
> 2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file:
> '/var/log/maillog'.
> 2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file:
> '/var/log/httpd/error_log'.
> 2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file:
> '/var/log/httpd/access_log'.
> 2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file:
> '/etc/httpd/logs/access_log'.
> 2009/02/20 11:10:18 ossec-logcollector(1950): INFO: Analyzing file:
> '/etc/httpd/logs/error_log'.
> 2009/02/20 11:10:18 ossec-logcollector: INFO: Started (pid: 745).
> 2009/02/20 11:11:39 ossec-execd: INFO: Active response command not
> present: '/usr/local/ossec/active-response/bin/test-command.sh'. Not
> using it on this system.
> 2009/02/20 11:11:39 ossec-execd(1312): ERROR: Error executing
> '/usr/local/ossec/active-response/bin/host-deny.sh': Permission denied
> 2009/02/20 11:11:39 ossec-execd(1312): ERROR: Error executing
> '/usr/local/ossec/active-response/bin/firewall-drop.sh': Permission denied
>
>
> Termcap of the install q/a
> ----
> 1- What kind of installation do you want (server, agent, local or help)?
> agent
>
> - Agent(client) installation chosen.
>
> 2- Setting up the installation environment.
>
> - Choose where to install the OSSEC HIDS [/var/ossec]: /usr/local/ossec
>
> - Installation will be made at /usr/local/ossec .
>
> - The installation directory already exists. Should I delete it?
> (y/n) [y]:
>
> 3- Configuring the OSSEC HIDS.
>
> 3.1- What's the IP Address of the OSSEC HIDS server?: 192.168.5.235
>
> - Adding Server IP 192.168.5.235
>
> 3.2- Do you want to run the integrity check daemon? (y/n) [y]:
>
> - Running syscheck (integrity check daemon).
>
> 3.3- Do you want to run the rootkit detection engine? (y/n) [y]:
>
> - Running rootcheck (rootkit detection).
>
> 3.4 - Do you want to enable active response? (y/n) [y]: n
>
> - Active response disabled.
>
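Added example, not code from this thread or from OSSEC: a small Python checker for the two things Daniel asks Tony to look at, the <active-response><disabled>yes</disabled> block in ossec.conf and what ossec-execd reports in ossec.log. The sample config and log lines are constructed from the messages above; the server IP and install paths are assumptions.

```python
"""Check whether an OSSEC agent really has active response disabled.

Constructed example, not code from the thread or from OSSEC: it checks the
<active-response><disabled>yes</disabled> block in ossec.conf and the
ossec-execd messages in ossec.log.
"""
import re
import xml.etree.ElementTree as ET

# ossec.conf may hold several top-level <ossec_config> elements, which is not
# well-formed XML, so the file is wrapped in a synthetic root before parsing.
def active_response_disabled(conf_text):
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return any(
        (ar.findtext("disabled") or "").strip().lower() == "yes"
        for ar in root.iter("active-response")
    )

EXECD = re.compile(r"ossec-execd(?:\(\d+\))?: (INFO|ERROR): (.*)$")
EXEC_ERR = re.compile(r"Error executing '([^']+)'")

def execd_status(log_text):
    """Return (exited_as_disabled, [scripts execd tried to run])."""
    disabled, attempted = False, []
    for line in log_text.splitlines():
        m = EXECD.search(line)
        if not m:
            continue
        level, msg = m.groups()
        if "Active response disabled" in msg:
            disabled = True          # execd saw <disabled>yes</disabled> and exited
        elif level == "ERROR":
            e = EXEC_ERR.search(msg)
            if e:                    # execd attempted a response script
                attempted.append(e.group(1))
    return disabled, attempted

# Constructed sample input modelled on the thread (IP and paths are assumptions).
CONF_DISABLED = """<ossec_config>
  <client><server-ip>192.168.5.235</server-ip></client>
</ossec_config>
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>"""
CONF_ENABLED = CONF_DISABLED.replace("<disabled>yes</disabled>", "")
LOG_DISABLED = "2009/03/25 10:45:02 ossec-execd(1350): INFO: Active response disabled. Exiting."
LOG_RUNNING = """2009/02/20 11:11:39 ossec-execd(1312): ERROR: Error executing '/usr/local/ossec/active-response/bin/host-deny.sh': Permission denied
2009/02/20 11:11:39 ossec-execd(1312): ERROR: Error executing '/usr/local/ossec/active-response/bin/firewall-drop.sh': Permission denied"""
```

If the config check returns False while the log shows execd attempting scripts, the agent is reading a config without the disabled block, which is the situation Daniel is asking Tony to confirm or rule out.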